
Fortify Static Code Analysis in Pipelines


Implementation

Fortify SCA (Static Code Analyzer) runs its vulnerability analysis against the Java source code; for a Maven project it uses the pom.xml, which lists all the dependencies, to resolve the build so that the classpath the analyzer sees matches the real one. Because the scan works at the code level, the best practice is to run it as early as possible. In the pipeline this means running the scan immediately after the code checkout, so that further processing of the build can be stopped if vulnerabilities are detected.

How the Fortify task works

Fortify works by analyzing the Java source code, together with the libraries it is compiled against, for vulnerability patterns such as injection, improper input validation and insecure configuration. Required installed extension: Micro Focus Fortify. It is a white-box testing tool: it identifies the root cause of each vulnerability (the data flow or code construct that introduces it) and helps remediate the underlying security flaw. SAST solutions analyze an application from the "inside out" and do not need a running system to perform a scan.

Fortify Agent

To be able to run the Fortify task, our project was provided with a dedicated build agent by the Security Team (the agent hosts the Fortify SCA installation and license). The agent pool must be referenced in the "pool" section of the pipeline, and the pool must be added to every project where you plan to use this task.

Pool configuration

pool:
  name: Fortify

Task Usage Example

Official task documentation page: FortifySCA@7

The 'SAST Fortify Report Generation' step below is a CmdLine@2 task that runs BIRTReportGenerator to convert the scan result (.fpr file) into an HTML report, which is then published as a pipeline artifact.

- stage: Fortify
  jobs:
  - job: SAST
    timeoutInMinutes: 20
    pool:
      name: Fortify
    steps:
    - checkout: self

    # Fortify scan
    - task: FortifySCA@7
      displayName: 'SAST - FortifySCA'
      inputs:
        licenseFile: 'F:\fortify\fortify.license'
        applicationType: 'java'
        buildSourceVersion: '11'
        fortifyBuildId: '${{ parameters.servicename }}-fortify'
        fortifyScanType: 'LocalScan'

    # Export results in HTML format
    - task: CmdLine@2
      displayName: 'SAST Fortify Report Generation'
      inputs:
        script: >-
          BIRTReportGenerator -template "Developer Workbook"
          -source $(Build.ArtifactStagingDirectory)/sca_artifacts/${{ parameters.servicename }}-fortify.fpr
          -format HTML
          --UseFortifyPriorityOrder
          -output $(Build.ArtifactStagingDirectory)/sca_artifacts/${{ parameters.servicename }}-fortify-report.html

    # Publish Fortify results as pipeline artifact
    - publish: $(Build.ArtifactStagingDirectory)/sca_artifacts/${{ parameters.servicename }}-fortify-report.html
      artifact: FortifyReport

Quality Gates

The standard quality gates defined for Fortify Java scans are applied when the report is reviewed. Note that the pipeline above contains no step that fails the build on findings: the gate is enforced during the manual review described under Limitation, not by the pipeline itself.

Limitation

The current Fortify SCA implementation has a limitation: the scan results are not sent back to Azure DevOps as pass/fail feedback, so the build does not stop automatically on findings. The Fortify report therefore has to be verified manually on a schedule.

The suggested schedule is:

  • Verify and fix the reported vulnerabilities before promoting code from Dev to the QA environment
  • Verify and fix the reported vulnerabilities before promoting code from UAT to the Production environment

Because the reports have to be fetched manually from the Fortify server, it is recommended to agree the review dates with the Info Sec team, coordinated through the DevOps team.
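The Implementation section says the scan should stop the build when vulnerabilities are found, and the Limitation section explains that the current setup cannot do that because nothing is fed back to Azure DevOps. The script below is an added example of closing that gap; it is not part of the original article and not a Fortify-supplied tool. It opens the .fpr that the FortifySCA task produces (the same file the BIRT step reads), extracts audit.fvdl from inside it, assigns each issue to a Fortify Priority Order bucket, and fails the job through Azure DevOps logging commands when Critical or High issues are present. The assumptions are: an .fpr is a zip archive containing audit.fvdl; per-rule Impact, Probability and Accuracy are stored under EngineData/RuleInfo/Rule/MetaInfo/Group and the Rule id matches the issue's ClassInfo/ClassID; Likelihood is Accuracy * Confidence * Probability / 25 and the 2.5 thresholds follow Fortify's published priority scheme. The embedded FVDL document is a constructed sample, not real scan output.

```python
"""Gate an Azure DevOps job on a Fortify .fpr without a Fortify server round-trip.

Added example, not the article's pipeline code and not a Fortify tool.
Assumptions (labelled): .fpr is a zip holding audit.fvdl; rule metadata is at
EngineData/RuleInfo/Rule/MetaInfo/Group with Rule id == ClassInfo/ClassID;
Likelihood = Accuracy * Confidence * Probability / 25; 2.5 is the bucket threshold.
"""
import sys
import zipfile
import xml.etree.ElementTree as ET

NS = {"f": "xmlns://www.fortifysoftware.com/schema/fvdl"}


def fortify_priority(impact: float, likelihood: float) -> str:
    """Map Impact/Likelihood (0-5 scale) onto the four Fortify Priority Order buckets."""
    if impact >= 2.5:
        return "Critical" if likelihood >= 2.5 else "High"
    return "Medium" if likelihood >= 2.5 else "Low"


def priority_counts(fvdl_xml: str) -> dict:
    """Count issues per priority bucket from the text of an audit.fvdl document."""
    root = ET.fromstring(fvdl_xml)
    # Rule-level metadata keyed by rule id (assumed layout, see module docstring).
    rules = {}
    for rule in root.findall("f:EngineData/f:RuleInfo/f:Rule", NS):
        rules[rule.get("id")] = {
            g.get("name"): float(g.text) for g in rule.findall("f:MetaInfo/f:Group", NS)
        }
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Low": 0}
    for vuln in root.findall("f:Vulnerabilities/f:Vulnerability", NS):
        meta = rules.get(vuln.findtext("f:ClassInfo/f:ClassID", namespaces=NS), {})
        confidence = float(vuln.findtext("f:InstanceInfo/f:Confidence", default="0", namespaces=NS))
        likelihood = meta.get("Accuracy", 0.0) * confidence * meta.get("Probability", 0.0) / 25
        counts[fortify_priority(meta.get("Impact", 0.0), likelihood)] += 1
    return counts


def gate(counts: dict, blocking=("Critical", "High")) -> bool:
    """True when no issue in a blocking priority bucket is present."""
    return sum(counts[p] for p in blocking) == 0


def read_fvdl(fpr_path: str) -> str:
    """Pull audit.fvdl out of the .fpr archive written by the FortifySCA task."""
    with zipfile.ZipFile(fpr_path) as fpr:
        return fpr.read("audit.fvdl").decode("utf-8")


# Constructed sample: a trimmed audit.fvdl with two rules and three findings
# (one Critical, one High, one Low once the formula above is applied).
SAMPLE_FVDL = """<FVDL xmlns="xmlns://www.fortifysoftware.com/schema/fvdl" version="1.12">
  <Vulnerabilities>
    <Vulnerability>
      <ClassInfo><ClassID>R1</ClassID><Type>SQL Injection</Type></ClassInfo>
      <InstanceInfo><InstanceID>i1</InstanceID><Confidence>5.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>R1</ClassID><Type>SQL Injection</Type></ClassInfo>
      <InstanceInfo><InstanceID>i2</InstanceID><Confidence>1.0</Confidence></InstanceInfo>
    </Vulnerability>
    <Vulnerability>
      <ClassInfo><ClassID>R2</ClassID><Type>Poor Logging Practice</Type></ClassInfo>
      <InstanceInfo><InstanceID>i3</InstanceID><Confidence>5.0</Confidence></InstanceInfo>
    </Vulnerability>
  </Vulnerabilities>
  <EngineData>
    <RuleInfo>
      <Rule id="R1"><MetaInfo>
        <Group name="Accuracy">5.0</Group><Group name="Impact">5.0</Group>
        <Group name="Probability">5.0</Group></MetaInfo></Rule>
      <Rule id="R2"><MetaInfo>
        <Group name="Accuracy">1.0</Group><Group name="Impact">1.0</Group>
        <Group name="Probability">1.0</Group></MetaInfo></Rule>
    </RuleInfo>
  </EngineData>
</FVDL>
"""


def main(argv) -> int:
    """Usage: python fortify_gate.py <path-to.fpr>; with no argument the sample is used."""
    fvdl = read_fvdl(argv[1]) if len(argv) > 1 else SAMPLE_FVDL
    counts = priority_counts(fvdl)
    print("Fortify priority counts:", counts)
    if gate(counts):
        return 0
    # Azure DevOps logging commands: surface the problem and mark the task Failed.
    print(f"##vso[task.logissue type=error]Fortify: {counts['Critical']} Critical / "
          f"{counts['High']} High issues")
    print("##vso[task.complete result=Failed;]Fortify quality gate failed")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, run it as a CmdLine@2 (or PythonScript@0) step right after the FortifySCA task, passing the same .fpr path that the BIRT step uses as -source; a non-zero exit stops the stage before the report is even generated, which is the early-stop behaviour the Implementation section asks for. One caveat: this counts raw analyzer results and ignores audit decisions stored in the FPR (suppressions and "Not an Issue" markings live in audit.xml, not audit.fvdl), so a finding the Info Sec team has already triaged will still block the build until the threshold or the code is changed.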



Deepanshu Katara, DevOps Team Leader, EPAM
